1. Configuring the AccuRev®
Web Interface

This chapter describes security, session, and access settings you can use to configure the AccuRev® Web Interface (Web UI).

•	Security Considerations for Web Applications

Like other client/server applications, AccuRev takes advantage of two layers of security – the organization’s network security measures, and AccuRev’s own security settings.

Network and application security measures are typical for applications accessing data within an organization’s LAN, or over a VPN or similar secure connection, but Web applications, like the AccuRev Web Interface, present a unique set of security issues common to applications accessing data directly over the Internet.

At a minimum, we recommend you take the following measures to secure your use of the Web UI:

•

Install an SSL certificate on the machine running Tomcat to encrypt Web traffic. See http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html for information on installing and configuring SSL certificates on Tomcat. If you are using Tomcat 6.0, see http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.

•	Implement password strength checking for the Web UI. See Setting Login Security for more information.

•

Review your existing AccuRev security measures. Consider the implications of an outsider gaining access to data stored in AccuRev. Set strong passwords for all AccuRev users, regardless of how they log in to AccuRev. Take advantage of AccuRev user and group permissions, and set ACL permissions to restrict user access by depot and stream to further secure the environment.

•	Consult with your local system administrator to determine the best way to run the Tomcat server securely within your organization’s network.

Setting Login Security

AccuRev recommends that you implement user name and password strength checking for users logging in to the AccuRev Server using the Web UI. Using the wui_config.xml configuration file, you can specify the following for both user name and password:

•	Minimum length

•	Minimum number of digits

•	Minimum number of letters

Note: AccuRev uses a single user/password combination for all interfaces, so any password change made to conform to WebUI security parameters specified in the wui_config.xml also affects your password for the AccuRev GUI and the CLI.

To change Web UI login settings:

1.	Stop the Tomcat server.

2.	Navigate to the .accurev subdirectory under the home directory of the user running Tomcat:

•	(Windows users) C:\Documents and Settings\<user name>, or C:\Users\<user name>, for example

•	(Linux users) The user’s login directory

3.	Check the .accurev subdirectory for a customized version of wui_config.xml. If there is no file by that name, copy <CATALINA_HOME>\webapps\accurev\wui_config.xml, where <CATALINA_HOME> is the Tomcat installation directory, to the .accurev subdirectory.

4.	Edit the <security> element to conform to your site’s security requirements.

<security>
<userName minLength = "0" minDigitCount = "0" minLetterCount = "0"/>
<password minLength = "0" minDigitCount = "0" minLetterCount = "0"/>
</security>

5.	Save the wui_config.xml file.

6.	Restart the Tomcat server.